ColdFusion must limit concurrent sessions to the Administrator Console.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Part of SRG-APP-000001-AS-000001

Associated with: CCI-000054

SV-76565r1_rule ColdFusion must limit concurrent sessions to the Administrator Console.

Vulnerability discussion

The ColdFusion Administrator Console is used to manage the ColdFusion application server. The console allows a user to configure settings used by hosted applications, maintain connections to external resources, review logs, etc. By disallowing concurrent logons, a user has a method to determine whether his account has been compromised (the user will be unable to log into the Administrator Console), and it deters a user from leaving an open idle session on a different workstation, which could also be used by an attacker.

Check content

Within the Administrator Console, navigate to the "Administrator" settings under the "Security" menu. If the setting "Allow concurrent login sessions for Administrator Console" is checked, this is a finding.

Fix text

Within the Administrator Console, navigate to the "Administrator" settings under the "Security" menu. To disable concurrent logins, uncheck the "Allow concurrent login sessions for Administrator Console" setting and select the "Submit Changes" button.
